Sharing cybersecurity information between the government and private sector won’t do much good if neither side trusts the other.
“Information sharing” has long been proposed by executives at U.S. companies and agency leaders in Washington as a necessary step in helping both sides keep ahead of hackers. The quick, reliable transmission of threat data, attacker objectives and the latest break-in techniques should be a key component of how security teams in the public and private sectors protect their systems.
But in reality, it’s not that easy. There are multiple reasons why companies can be reluctant to send sensitive information to the feds. There’s still a lingering sense of unease between Washington and Silicon Valley, Matt Olsen, chief trust and security officer at Uber, said Thursday at CyberTalks, a CyberScoop event. He traces it to former National Security Agency contractor Edward Snowden’s leaks of documents detailing government espionage on U.S.-built technology.
“What’s the obstacle to all this? It’s this trust deficit that we’ve had lingering since post-Snowden from six years ago,” he said, adding that government and industry also were wary of each other before the NSA leaks began.
“I think the government has made some strong steps forward in regaining the trust of the American people around intelligence collection,” he went on. “I think it’s done a good job rebuilding our relationships with our allies, but it has not done enough. We have not gone far enough as a country in regaining that trust between Washington, D.C., and the technology community where so much of this innovation takes place.”
While an increase in the number of NSA cyber specialists taking jobs in the private sector and government transparency efforts represent improvements, Olsen said, national security officials and private companies have different goals in cyberspace.
One former FBI official not authorized to speak on the record told CyberScoop that organizations victimized by skilled hackers would chafe at bureau expectations to allow outsiders to continue lurking in their networks in order to gather evidence, while the breached company would hope to restore normalcy as soon as possible. In other cases, the former bureau official said, corporate security teams would provide details to the government, only to learn that those same details had been classified.
One way to improve information sharing might be to provide additional context, not just indicators of compromise and technical details about an attacker’s command-and-control infrastructure, Chris Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, suggested in separate remarks at CyberTalks Thursday.
“Information sharing, when placed in the appropriate context, can make all the difference in a decision that a [chief information security officer] makes,” he said. “If you think it’s a nation-state actor, and you’re a CISO experiencing an event, it’s going to make a difference when you’re thinking about who staffs the [security operations center] over the weekend.”